Azure Container Registry scan errors out (400 Bad Request).

Created On 01/17/23 07:18 AM - Last Modified 07/15/24 19:13 PM


Symptom


  • Adding the registry information (Defend > Vulnerabilities > Images > Registry settings) does not trigger scans
  • The registry scans tend to fail with the "400 Bad Request" error, as seen in the Console 'debug' logs
  • Regardless of any changes made to the registry information other than the credentials section, the scans fail or do not respond
  • Since the scans fail, no results are visible under Compute > Monitor > Vulnerabilities > Images > Registries


Environment


  • Prisma Cloud Compute - Self hosted & SaaS (all versions)
  • Azure container registries (ACR) - all versions


Cause


  • The cause of this issue is the use of incorrect credentials. The credentials used for the Azure container registry (ACR) must be checked to confirm that they are in accordance with the requirements mentioned in the documentation
  • An incorrect URL would also produce no results; however, for the specific error 400 Bad Request, the root cause is the use of an incorrect "service key" or "temporary token" (imported from Azure credentials present in Prisma Cloud/CSPM)
 


Resolution


  • The issue is resolved by using the correct credentials. In this case, the correct credentials means using a "Service Key" to authenticate with the Azure container registry (ACR)
  • As mentioned in the documentation, an "Azure Service Principal" must be created with an appropriate role according to the requirements of the user. The "contributor" role is suitable for Cloud Discovery + Azure Container Registry Scanning + Azure Function Apps Scanning, while the "reader" role should be sufficient for Cloud Discovery + Azure Container Registry Scanning
  • On completing the configuration as instructed above, the scans start to trigger and the results can be seen on the Prisma Compute Console
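
A local pre-flight check for the "Service Key" before it is saved in the credential, as an added example that is not part of the original article or of Prisma Cloud. It assumes the key is the JSON printed by `az ad sp create-for-rbac --sdk-auth`; the field names and the function `check_service_key` are assumptions of this example.

```python
import json
import re

# Assumption: the Service Key is the JSON object printed by
# `az ad sp create-for-rbac --sdk-auth`; these field names come from that
# output, not from this article.
REQUIRED = ("clientId", "clientSecret", "subscriptionId", "tenantId")
GUID_FIELDS = ("clientId", "subscriptionId", "tenantId")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_service_key(text):
    """Return a list of problems in a pasted service key; empty means none found."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical of a paste that lost a brace or a quote.
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    for field in REQUIRED:
        value = key.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty field: {field}")
        elif value != value.strip():
            problems.append(f"{field} has leading or trailing whitespace")
        elif field in GUID_FIELDS and not GUID_RE.match(value):
            problems.append(f"{field} is not a GUID")
    return problems


# Constructed sample values; none are real credentials.
GOOD = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "constructed-placeholder-secret",
    "subscriptionId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "tenantId": "99999999-8888-7777-6666-555555555555",
})
TRUNCATED = GOOD[:-1]  # a paste that lost its closing brace

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("truncated", TRUNCATED)):
        print(name, check_service_key(sample) or "ok")
```

A clean result only shows that the key is well formed; whether the service principal holds the "reader" or "contributor" role still has to be confirmed in Azure.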
 


Additional Information


Related documentation:

 


